Checkmarx on Tuesday confirmed that last month’s supply chain attack targeting its KICS open source project also resulted in data theft.
The compromise was a result of the Trivy supply chain attack and allowed the attackers to hijack dozens of GitHub Action version tags to reference malware without visible changes.
Attributed to the infamous TeamPCP hacking group, the compromise was part of a large campaign targeting multiple open source software ecosystems for credential and sensitive information theft.
Around the same time that Checkmarx was hit, messages posted by TeamPCP and the infamous Lapsus$ extortion group suggested the two threat actors might have partnered for monetization purposes.
Over the weekend, one month after the compromise, Lapsus$ added Checkmarx to its Tor-based leak site, claiming the theft of source code, employee databases, API keys, and MongoDB and MySQL credentials.
“Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026,” Checkmarx said on Tuesday.
The hackers accessed Checkmarx’s GitHub environment using credentials compromised via the Trivy hack on March 23 and poisoned two OpenVSX plugins and two GitHub Actions workflows.
The company removed the malicious packages, revoked and rotated relevant credentials, and blocked outbound access to the attacker’s infrastructure.
Despite these measures, the attackers either retained or regained access to the environment, and on April 22, published a fresh round of malicious code by poisoning a DockerHub KICS image, a GitHub action, a VS Code extension, and a Developer Assist extension.
The second Checkmarx incident resulted in the compromise of the Bitwarden command-line interface (CLI) NPM package, one of the most popular open source password management platforms.
The last phase in the Checkmarx supply chain attack was the publishing of a 96GB archive containing data that Lapsus$ claims was stolen from the company.
“As part of our investigation into the incident, we identified that exfiltration of data took place on March 30, 2026,” Checkmarx says.
As part of its ongoing efforts to remedy the issue, the company notified law enforcement, retained Mandiant to assist with the investigation, performed a broader credential reset, strengthened security controls, locked down access to GitHub repositories, and launched a code audit.
“We are now in the final stages of our investigation and confirming that the unauthorized access has been fully contained. We will share further on this as soon as we are able,” Checkmarx says.
Related: Vimeo Confirms User and Customer Data Breach
Related: Luxury Cosmetics Giant Rituals Discloses Data Breach
Related: Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000
Related: Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak
